I'm participating in the Ubuntu App Showdown and my submission is going to make use of third-party web services that use OAuth to release their protected data to clients. Given that the rules state that the app must be open source, I was wondering if an exemption could be made for a single file containing the OAuth secrets, so that they are not being freely distributed.

The risk with distributed OAuth secrets is that they are bound to specific apps, so the service can tell which app is requesting what data from which user. If these secrets get into the open, it will allow parties with malicious intent to imitate a request coming from a legitimate app, causing that app to be blamed for any wrong-doing committed using the compromised credentials.

I'd be willing to provide the credentials file to the judges in private if they so desire.

Given the general requirement for submissions to the software centre to be open source, perhaps such an exemption could be made in the submission policy as well.

1 Answer
Depending on which web service you want to use, the answer is one of those:

1) You can't, period

If the service absolutely requires you to completely protect the token secret, then desktop applications are out of luck. Even closed-source applications can have their binaries examined or be memory dumped during HTTP requests. If the web service enforces such a rigid rule, they are either out of touch with reality or expect only web applications to use their API.

2) Just obfuscate

Some web services are tolerant if you simply don't make the secret immediately available. Just use a simple reversible obfuscation scheme that does not require closing the source.

3) Don't protect at all

You can see here that Google is an example of a service that recognizes that full secret protection is a lost battle for desktop apps. For those, you can put the key in the open source and be happy.

So I recommend that you contact the service's support and ask which of those cases you are in.

It might be a good idea to add a warning against re-using the key for other apps in the source comments and/or in the COPYRIGHT file, and recommend others to request their own key? (In theory you can sue them for abusing your key, I suppose, especially if they cause troubles and damage your reputation…)
– JanC Jun 16 '12 at 18:15
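As an added illustration of option 2 in the answer above (this is example code, not from the question, the answer or any real app), here is a minimal reversible obfuscation scheme that keeps the literal consumer secret out of a public repository while the code stays open source. The secret, salt and function names are constructed placeholders; as the answer says, anyone with the code can run the reverse step, so this hides the value from a casual grep and nothing more.

```python
"""Reversible obfuscation of an OAuth consumer secret for an open-source
desktop app. This is NOT protection: unobfuscate() is in the same source
tree, so it only keeps the plain secret out of the committed text."""
import base64
import hashlib

# Constructed placeholder; never commit a real credential here.
EXAMPLE_CONSUMER_SECRET = "EXAMPLE-consumer-secret-0123456789"
EXAMPLE_SALT = b"app-showdown-salt"  # constructed, not a secret either


def _keystream(salt: bytes, length: int) -> bytes:
    """Derive a deterministic pad from the salt so the XOR is not a single
    repeated byte. Still trivially reversible by anyone holding the salt."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(salt + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def obfuscate(secret: str, salt: bytes = EXAMPLE_SALT) -> str:
    """Build-time step: XOR the secret with the pad and base64 the result.
    The returned string is what gets committed to the public repository."""
    raw = secret.encode()
    pad = _keystream(salt, len(raw))
    return base64.b64encode(bytes(a ^ b for a, b in zip(raw, pad))).decode()


def unobfuscate(blob: str, salt: bytes = EXAMPLE_SALT) -> str:
    """Run-time step: reverse obfuscate() just before signing a request."""
    raw = base64.b64decode(blob)
    pad = _keystream(salt, len(raw))
    return bytes(a ^ b for a, b in zip(raw, pad)).decode()


def literal_present(blob: str, secret: str) -> bool:
    """True if the plain secret is visible in the committed blob, i.e. what a
    casual grep of the repository would turn up."""
    return secret in blob


# The value below is the only form that would appear in the public source.
OBFUSCATED = obfuscate(EXAMPLE_CONSUMER_SECRET)
```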